TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Internal Revenue Service Databases Continue to Be Susceptible to Penetration Attacks

December 14, 2007

Reference Number: 2008-20-029

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.
Redaction Legend:
2(f) = Risk Circumvention of Agency Regulation or Statute (whichever is applicable)
3(d) = Identifying Information - Other Identifying Information of an Individual or Individuals

Phone Number  | 202-622-6500
Email Address | inquiries@tigta.treas.gov
Web Site      | http://www.tigta.gov

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

December 14, 2007

MEMORANDUM FOR CHIEF INFORMATION OFFICER

FROM:    (for) Michael R. Phillips
         Deputy Inspector General for Audit

SUBJECT: Final Audit Report – Internal Revenue Service Databases Continue to Be Susceptible to Penetration Attacks (Audit # 200720017)

This report presents the results of our review to determine whether databases used by Internal Revenue Service (IRS) computer applications are secure from exploitation by unauthorized individuals. This review was included in the Treasury Inspector General for Tax Administration Fiscal Year 2007 Annual Audit Plan and was part of the Information Systems Programs unit's statutory requirements to annually review the adequacy and security of IRS technology.

Impact on the Taxpayer

The IRS continues to have recurring information security weaknesses that make its databases susceptible to penetration attacks. Because the IRS stores its taxpayer, financial, and other data in more than 2,100 databases, attacks on these databases could result in taxpayer identity theft and fraud. Such attacks could also result in financial losses to the Federal Government.

Synopsis

Since March 2003, we have identified and reported significant weaknesses in IRS database security controls. Our previous reviews have demonstrated that control weaknesses could be exploited to gain access to sensitive taxpayer information and disrupt IRS computer operations. Although we did not exploit the vulnerabilities during this review, we found the security weaknesses remain. We are very concerned that these high-risk weaknesses continue to exist and that greater efforts have not been taken to correct them.

To ease the installation process, vendors typically ship database software with installation accounts that contain the same (default) logon and same password. In some cases, the password is blank. The IRS requires that these passwords be immediately changed after database installation. During this review, we tested more databases than in prior reviews for the existence of default or blank passwords for installation accounts. Based on our scans of IRS networks, we determined that 11 percent of the approximately 1,900 databases scanned had 1 or more installation accounts with a default or blank password. A total of 369 installation accounts had default or blank passwords; 26 contained powerful database administrator privileges. Malicious users can exploit accounts with default or blank passwords to steal taxpayer identities and carry out fraud schemes. Databases found with default or blank passwords during our scans include those that contain personally identifiable tax information.

These password weaknesses continue to exist because of deficiencies in the IRS' process for identifying and resolving them. The IRS Computer Security Incident Response Center conducts monthly scans to detect default and blank database passwords. While the Center identifies password weaknesses on the systems it scans, it does not adequately scan all IRS databases. The process for reviewing these scan results has resulted in the correction of many weaknesses. However, we identified deficiencies in the process that hamper the effectiveness of the IRS team tasked with correcting these weaknesses.

Changing default and blank passwords after database installation is a fundamental security rule that all database administrators should know to follow. We have repeatedly apprised the IRS of this issue, and it has taken actions to publish standards and identify and correct these password weaknesses. Because these actions have resulted in only limited success, we conclude that default and blank database passwords continue to exist because managers and employees are not taking seriously their responsibilities for implementing secure databases. Consequently, the IRS needs to take stronger actions to ensure employees take these responsibilities seriously.

We also found that a majority of the IRS databases scanned do not have the latest software updates (patches) installed. Our scans found 65 percent of the databases scanned needed to be updated, with more than 300 databases being outdated from 11 months to 20 months. As a result, outdated IRS databases were collectively susceptible to nearly 40,000 database vulnerabilities, one-half of which are considered high risk. These vulnerabilities include those used for common penetration attacks. IRS standard database security configurations require that database software be kept current with the most recent software updates. These updates protect computer software from emerging vulnerabilities that can be used to attack it and gain access to its data.

Although the IRS is adequately identifying appropriate patches for its databases, installation of the patches is not currently being monitored and there is no automated tool available to detect whether patches have been installed.

Recommendations

We recommended the Chief Information Officer ensure security training is provided to employees with key security responsibilities and coordinate with other heads of office to emphasize the need for disciplinary actions for managers and employees who fail to fulfill their security responsibilities. The Chief Information Officer should improve the process for identifying and correcting accounts with blank or default passwords by expanding the scanning criteria, analyzing the Computer Security Incident Response Center scan results, and changing the methodology for determining repeat findings. In addition, the Chief Information Officer should establish a process for monitoring database patch installations and updates to current versions of database software.

Response

IRS management agreed with all of our recommendations. The Associate Chief Information Officer, Cybersecurity, will update the security training curriculum and courseware to specifically include the need to change default and blank passwords and will prepare a memorandum reemphasizing the need for disciplinary action for managers and employees who are not fulfilling their security responsibilities. The Computer Security Incident Response Center will implement and expand a quarterly database scanning component to its vulnerability management program. The Cybersecurity organization will expand scanning efforts to include computer names and other identifiable information needed to efficiently resolve password weaknesses, disseminate scan results to appropriate parties, trend scan results to detect repeat offenders, track and report quarterly on the status to those employees responsible for correcting default and blank passwords, and purchase database vulnerability scanning software to detect the absence of needed security patches on IRS databases. Management's complete response to the draft report is included as Appendix VII.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

Table of Contents

Background ........................................................................ Page 1

Results of Review ................................................................. Page 2
    Database Accounts With Default or Blank Passwords Continue to Be Found ........ Page 2
        Recommendations 1 through 3: ............................................ Page 6
        Recommendation 4: ....................................................... Page 7
    Databases Are Not Adequately Updated to Protect Against Emerging Vulnerabilities .. Page 7
        Recommendation 5: ....................................................... Page 9

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology ...................... Page 10
    Appendix II – Major Contributors to This Report .............................. Page 12
    Appendix III – Report Distribution List ...................................... Page 13
    Appendix IV – Prior Penetration Test Reports ................................. Page 14
    Appendix V – Additional Password Test Information ............................ Page 15
    Appendix VI – Additional Patch Test Information .............................. Page 17
    Appendix VII – Management's Response to the Draft Report ..................... Page 21

Background

The Internal Revenue Service (IRS) is responsible for maintaining security over computer systems that process more than $2 trillion in receipts and $11 billion in expenditures. These systems must maintain the privacy of tax information for about 134 million taxpayers. The IRS stores its taxpayer, financial, and other data in more than 2,100 databases. Due to the sensitivity of these data, the IRS could be a target for malicious users intent on committing identity theft and fraud. Theft of the data on these systems could also result in financial losses to the Federal Government. Because the IRS has many employees and contractors with access to its networks, it is vulnerable to insider theft of its confidential data.

While computer security is typically applied in layers around a computer system, the last and possibly best line of defense in protecting IRS data is database security controls. However, our prior audits have identified significant weaknesses in IRS database security controls. Most recently, we reported that standard database security configurations have not been effectively implemented on IRS databases.[1] In addition, our previous penetration tests have demonstrated that control weaknesses could be exploited to gain access to sensitive taxpayer information and disrupt IRS computer operations.[2]

We conducted this review to determine whether two key control weaknesses identified in our September 2005 penetration test report had been corrected. We tested more databases than in our previous penetration tests for the existence of default or blank passwords for installation accounts, but we did not attempt to exploit the weaknesses. This review was performed at the IRS National Headquarters in Washington, D.C., in the Offices of the Chief Information Officer during the period May through August 2007.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

[1] Standard Database Security Configurations Are Adequate, Although Much Work Is Needed to Ensure Proper Implementation (Reference Number 2007-20-129, dated August 22, 2007).
[2] See Appendix IV for the list of prior penetration test reports.

Page 1

The actions taken to date have not been sufficient because the IRS continues to have difficulty ensuring default and blank database passwords are not used. We scanned IRS networks and determined that 11 percent of the approximately 1,900 databases scanned had 1 or more installation accounts with default or blank passwords. We found a total of 369 installation accounts with default or blank passwords. Of these, 26 accounts had powerful database administrator privileges. Appendix V provides additional details on the results of our tests.

Malicious users can exploit accounts with default or blank passwords to steal taxpayer identities and carry out fraud schemes. In addition, because multiple users can use the accounts, it is difficult to establish accountability for actions taken. For production systems, application developers can exploit default or blank passwords to access production databases for their application. Once inside, developers can make changes to production databases and applications that are unauthorized and untested, resulting in unexpected consequences such as breaking application functionality or preventing its use.

While we did not attempt to exploit default or blank passwords to gain access to IRS databases in this review, attempts in our previous penetration audits have been successful. In the September 2005 penetration test report, database administrator accounts with default or blank passwords were used to gain access to employee, taxpayer, and corporate tax forms. We have also demonstrated in the prior penetration reports that, once access is gained to the administrative accounts for a database, a malicious user can elevate those privileges to other databases and operating systems, gaining access to even more taxpayer accounts. Accordingly, the IRS should have no tolerance for accounts with default and blank passwords.

We attempted to associate IRS applications with the databases we found to assess the effect on the IRS in the event these applications were compromised. Using information obtained during our scans and available IRS resources, we were able to identify applications for less than one-half of the databases found. On May 25, 2007, we asked the IRS to identify the remaining applications and confirm the applications we were able to identify through research. However, the IRS has been unable to fully provide this information, most likely because it does not have a comprehensive source of information for its applications and their associated databases. Some of the applications we were able to identify with default or blank database passwords are shown in Table 1.

Page 3

•   Insufficient Information: Scan results forwarded by the CSIRC do not include all information needed to timely identify the computers on which the weaknesses were found. In particular, computer names are not included, only network addresses. Because network addresses can change, computer names are also needed.

Changing default and blank passwords after database installation is a fundamental security rule that all database administrators should know to follow. We have repeatedly apprised the IRS of this issue. The IRS has published standard database security configuration standards addressing this weakness and established processes for identifying and correcting installation default password weaknesses. Because these actions have resulted in only limited success in resolving this issue, we conclude that default and blank database passwords continue to exist in part because managers and employees are not taking seriously their responsibilities for implementing secure databases.
Consequently, the IRS needs to take stronger actions.

Recommendations

The Chief Information Officer should:

Recommendation 1: Implement the previously stated corrective action to identify employees with key security responsibilities and provide security training to these employees, specifically on default and blank passwords.

    Management's Response: IRS management agreed with this recommendation. The Associate Chief Information Officer, Cybersecurity, will update the existing security training curriculum and courseware to specifically include the need to change default and blank passwords.

Recommendation 2: Coordinate with other heads of office to emphasize the need for disciplinary actions for managers and employees who are not fulfilling their security responsibilities, as evidenced by repeat findings of failure to comply with IRS security configuration requirements for servers, databases, and other computing platforms. Specific emphasis is needed to ensure default and blank passwords are removed for database administrator accounts placed into operation.

    Management's Response: IRS management agreed with this recommendation. The Associate Chief Information Officer, Cybersecurity, will prepare a memorandum reemphasizing the need for disciplinary action, as appropriate, for managers and employees who are not fulfilling their security responsibilities.

Recommendation 3: Expand the criteria used for scanning IRS databases for the presence of administrator accounts with default or blank passwords. These criteria should encompass additional database software used by the IRS, a broader range of account and password combinations, and additional ports in which databases can be accessed. In addition, CSIRC scan results should be expanded to include computer names and other identifiable information needed to more quickly resolve password weaknesses.

Page 6

    Management's Response: IRS management agreed with this recommendation. The Associate Chief Information Officer, Cybersecurity, will implement and expand a quarterly database scanning component to the vulnerability management program. The Cybersecurity organization will expand scan efforts to include computer names and other identifiable information needed to efficiently resolve password weaknesses. In the near term, the Cybersecurity organization will purchase the technology, establish processes for conducting scans, and expand parameters of current testing capabilities.

Recommendation 4: Ensure the employees responsible for correcting default and blank passwords directly review the CSIRC scan results. In addition, the methodology for determining repeat findings should be modified to include running totals for computers identified on multiple scans.

    Management's Response: IRS management agreed with this recommendation. The Associate Chief Information Officer, Cybersecurity, will ensure dissemination of scan results to appropriate parties and trending of scan results to detect repeat offenders. The Cybersecurity organization will also track and report quarterly on the status to those employees responsible for correcting default and blank passwords. Until the solution is fully implemented, it will purchase the technology and establish processes for conducting and reviewing scans.

Databases Are Not Adequately Updated to Protect Against Emerging Vulnerabilities

In the September 2005 penetration test report, we identified computers susceptible to several high-risk operating system, database, and web server attacks. In some instances, operating system vulnerabilities were used to gain access to the computer, providing full access to all of the computer files. The computers were susceptible because software updates to protect against the vulnerabilities were not installed. Some computers were also found to be running outdated versions of the operating system. We also previously reported weaknesses with the IRS' software patching process,[3] although database software was not specifically assessed.[4] Given the findings in these prior reports, we focused this review on assessing how susceptible IRS databases were to database-specific vulnerabilities.

[3] A patch is a fix of a design flaw in a computer program. Patches must be installed or applied to the appropriate computer for the flaw to be corrected.
[4] Uninstalled Computer Security Patches Continue to Put Computer Systems at Risk (Reference Number 2006-20-167, dated September 21, 2006).

Page 7

IRS standard database security configurations specify that database software should be kept current with the most recent software updates. These updates protect computer software from emerging vulnerabilities that can be used to attack it and gain access to its data.
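As an added example that is not part of the report or of any IRS tool, the following script shows how scan results of the kind the report describes can be worked up the way Recommendations 3 and 4 and the configuration standard above call for: a per-network summary in the shape of Table 2 in Appendix V, repeat findings counted by computer name rather than by network address (so a computer whose address changes between scans is still recognised), and each database classified as current, outdated, or so old that the vendor no longer patches it. Every product name, version, computer name, address and account below is constructed sample data, and the version thresholds are assumptions.

```python
"""Correlate database scan results across runs (added example, not report code).

All products, versions, hosts, addresses and accounts are constructed samples.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class DbScan:
    """One database as seen on one scan run."""
    computer: str        # computer name, stable across address changes
    address: str         # network address at scan time, may change
    network: str         # network the database sits on
    product: str         # constructed product name
    version: tuple       # version as a tuple so comparisons are ordered
    weak_accounts: dict = field(default_factory=dict)  # account -> privilege


# Constructed assumptions: newest version and oldest version still patched.
CURRENT = {"dbA": (10, 2, 0, 3), "dbB": (9, 1, 0)}
OLDEST_SUPPORTED = {"dbA": (9, 2, 0, 0), "dbB": (8, 0, 0)}


def summarize_by_network(scan):
    """Table 2 style rows: (found with weak accounts, tested, percentage)."""
    tested, weak = defaultdict(int), defaultdict(int)
    for db in scan:
        tested[db.network] += 1
        if db.weak_accounts:
            weak[db.network] += 1
    rows = {net: (weak[net], tested[net], round(100.0 * weak[net] / tested[net], 1))
            for net in tested}
    all_weak, all_tested = sum(weak.values()), sum(tested.values())
    rows["Totals"] = (all_weak, all_tested, round(100.0 * all_weak / all_tested, 1))
    return rows


def count_weak_accounts(scan):
    """Return (weak installation accounts, how many of them hold DBA privilege)."""
    privs = [p for db in scan for p in db.weak_accounts.values()]
    return len(privs), privs.count("DBA")


def repeat_findings(runs):
    """Running total of scans on which each computer had a weak account.

    Keyed by computer name, so a computer whose address changed between
    scans is counted as a repeat finding rather than as a new one."""
    totals = defaultdict(int)
    for scan in runs:
        for db in scan:
            if db.weak_accounts:
                totals[db.computer] += 1
    return dict(totals)


def version_status(scan):
    """Classify each database as current, outdated, or unsupported (no patches)."""
    status = {}
    for db in scan:
        if db.version < OLDEST_SUPPORTED[db.product]:
            status[db.computer] = "unsupported"
        elif db.version < CURRENT[db.product]:
            status[db.computer] = "outdated"
        else:
            status[db.computer] = "current"
    return status


# Constructed scan runs for two months; host2 changes address between them,
# which an address-keyed tracker would miscount as two separate findings.
MAY = [
    DbScan("host1", "10.0.0.1", "IRS main network", "dbA", (10, 2, 0, 3)),
    DbScan("host2", "10.0.0.2", "IRS main network", "dbA", (9, 2, 0, 1),
           {"install_admin": "DBA", "demo_user": "user"}),
    DbScan("host3", "10.0.1.5", "Chief Counsel", "dbB", (7, 3, 0),
           {"install_admin": "DBA"}),
    DbScan("host4", "10.0.2.9", "Criminal Investigation", "dbB", (9, 1, 0)),
]
JUNE = [
    DbScan("host1", "10.0.0.1", "IRS main network", "dbA", (10, 2, 0, 3)),
    DbScan("host2", "10.0.0.77", "IRS main network", "dbA", (9, 2, 0, 1),
           {"install_admin": "DBA"}),
    DbScan("host3", "10.0.1.5", "Chief Counsel", "dbB", (7, 3, 0)),
    DbScan("host4", "10.0.2.9", "Criminal Investigation", "dbB", (9, 1, 0)),
]

if __name__ == "__main__":
    for net, (found, tested, pct) in summarize_by_network(MAY).items():
        print(f"{net:24} {found:3} of {tested:5} databases ({pct}%)")
    print("weak accounts (total, DBA):", count_weak_accounts(MAY))
    print("repeat findings by computer name:", repeat_findings([MAY, JUNE]))
    print("version status:", version_status(MAY))
```

Feeding real scanner output only requires building DbScan records from it; the address field is kept for locating the machine but is deliberately never used as the tracking key.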
Updates can be provided in the form of a patch, which fixes a specific vulnerability, or by installing a new software version.

Our scans of the IRS network found that 1,242 (65 percent) of the nearly 1,900 databases scanned need to be updated. These databases were not operating at the current database software version as of March 2007, the date our software scanner was last updated. Because our scans were conducted in May 2007, these databases were outdated for at least 2 months, with more than 300 databases found to be outdated from 11 months to 20 months.

In addition, over one-third of the databases' versions were so out of date that the manufacturer no longer provides security patches or other updates. Our scans found 45 outdated database versions for the 5 types of database software we tested. Appendix VI provides additional details on the results of our tests.

As a result, outdated IRS databases were collectively susceptible to nearly 40,000 database vulnerabilities, one-half of which are considered high risk. These vulnerabilities include those used for common penetration attacks.[5] Malicious users could use one or more of these attack methods to gain access to IRS databases, potentially providing unauthorized access to taxpayer information, corrupting data, and shutting down the databases.

We reviewed the IRS process for identifying patches and monitoring their implementation. The IRS is adequately identifying database patches for its database software. The CSIRC is primarily responsible for identifying available patches and notifying IRS functions of these patches and related vulnerabilities. We reviewed the CSIRC patch inventory and found it adequately identified current patches for the database software used by the IRS.

However, installation of database patches is not currently being monitored. The CSIRC requires in its critical patch advisories that persons responsible for patching affected systems report the status of patch installation to the CSIRC. However, CSIRC personnel informed us they do not receive status information on database patch installations. This may be in part due to the lack of notice of this requirement or method for reporting patch status on the CSIRC's web site. The CSIRC has not aggressively followed up with those organizations required to implement patches.

In addition, automated tools are not available to detect whether database patches or current software versions have been implemented. The IRS does track the status of patches for computer operating systems. However, the scans are able to identify patches only for specific operating systems, not databases.

[5] See Appendix VI for descriptions of these attack methods.

Page 8

The process of implementing database updates in the IRS is complex because many IRS organizations are involved in the process. Therefore, due to the amount of testing required to identify specific reasons why updates are not installed, we plan to further examine the processes for updating database software in our Fiscal Year 2008 audits.

In general, though, we believe one of the primary reasons why databases are not updated is reluctance by administrators to install patches because of a concern that they may otherwise impair the application being patched. In our September 2006 patching report, we reported a similar reluctance for installation of operating system patches.

Recommendation

Recommendation 5: The Chief Information Officer should establish a process for monitoring database patch installations and updates to current versions of database software. This process should make use of automated scans or other tools where possible to verify the patches and updates are installed.

    Management's Response: IRS management agreed with this recommendation. The Cybersecurity organization will purchase database vulnerability scanning software to detect the absence of needed security patches on IRS databases. Until the solution has been fully implemented, it will use patch advisories to reemphasize the methods for reporting patch status to the CSIRC.

Page 9

         C. Determined whether causes identified in the report Uninstalled Computer Security Patches Continue to Put Computer Systems at Risk (Reference Number 2006-20-167, dated September 21, 2006) applied to database patching issues.[1] We reviewed the IRS process for identifying database software updates and monitoring their implementation. We did not review the process for implementing software updates due to the complexity of the process for implementing databases and the numerous IRS organizations involved. Therefore, due to the amount of testing required to identify specific reasons why updates are not installed, we plan to further examine the processes for updating database software in our Fiscal Year 2008 audits.
         D. Determined whether blank or default passwords have been previously identified and reported by the CSIRC.
V.       Assessed the effect of the exploitable vulnerabilities found.
         A. Assessed the access levels for accounts found to have blank or default passwords.
         B. Assessed the severity of the databases that had not been adequately updated.
         C. Identified the IRS business risk by identifying the applications associated with vulnerable databases.

[1] A patch is a fix of a design flaw in a computer program. Patches must be installed or applied to the appropriate computer for the flaw to be corrected.

Page 11

Appendix II

Major Contributors to This Report

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Stephen Mullins, Director
Michelle Griffin, Audit Manager
Michael Howard, Lead Auditor
Charles Ekunwe, Senior Auditor
Jacqueline Nguyen, Senior Auditor
Stasha Smith, Senior Auditor

Page 12

Appendix III

Report Distribution List

Acting Commissioner C
Office of the Commissioner – Attn: Acting Chief of Staff C
Deputy Commissioner for Operations Support OS
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons:
       Chief Information Officer OS:CIO
       Director, Program Oversight OS:CIO:SM:PO

Page 13

Appendix IV

Prior Penetration Test Reports

This report is the fourth since March 2003 to identify weaknesses resulting from penetration tests of IRS networks and computer systems. The prior reports are:
   •   Internal Penetration Test of the Internal Revenue Service's Networked Computer Systems (Reference Number 2005-20-144, dated September 2005).
   •   Penetration Test of Internal Revenue Service Computer Systems (Reference Number 2004-20-073, dated April 2004).
   •   Penetration Test of Internal Revenue Service Computer Systems (Reference Number 2003-20-082, dated March 2003).

Page 14

Table 2: Networks in Which Databases Were Found With Blank and Default Passwords

Network                | Databases Found With Blank and Default Passwords | Databases Tested | Percentage With Blank and Default Passwords
IRS main network       | 196                                              | 1,745            | 11.2%
Chief Counsel          | 2                                                | 52               | 3.8%
Criminal Investigation | 0                                                | 61               | 0.0%
Totals                 | 198                                              | 1,858            | 10.7%

Source: Treasury Inspector General for Tax Administration assessment of selected IRS databases using data collected from scans of IRS databases.

Our scans found installation database accounts with default and blank passwords on production and nonproduction databases. Nonproduction databases include those used for development of applications and, in a few instances, for building databases. While nonproduction databases generally do not store taxpayer information, blank or default passwords could still be exploited to obtain sensitive information such as business rules and application programs.

Page 16

•   Buffer Overflow: This technique exploits databases by sending more information to the database than expected, thus forcing the additional data to be stored in another part of the computer's memory. If this memory permits execution of computer commands and the excess data contain database or computer instructions, then an attacker can run malicious commands to gain access to the database.
•   SQL Injection: This technique is used to manipulate web sites into sending SQL queries to a database to alter, insert, or delete data in a database.
•   Privilege Escalation: This technique is used by an attacker to change the privilege level of a database process and take control of that process to bypass security controls.

Page 20

Appendix VII

Management's Response to the Draft Report

Page 21
          Page 22\n\x0cInternal Revenue Service Databases Continue to Be Susceptible\n                    to Penetration Attacks\n\n\n\n\n                                                       Page 23\n\x0cInternal Revenue Service Databases Continue to Be Susceptible\n                    to Penetration Attacks\n\n\n\n\n                                                       Page 24\n\x0c'
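The Table 2 tabulation and the Appendix I step V assessment (access level of the weak account, production versus nonproduction environment, and the application at risk), worked as an added Python example that is not part of the report. The scan records, host names, account names and privilege weights are constructed for illustration.

```python
# Triage of database-scan findings in the shape of Table 2 and Appendix I step V.
# Added example; every record below is constructed, not IRS data.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DbScan:
    network: str          # network the database sits on, as in Table 2
    host: str             # hypothetical host name
    environment: str      # "production" or "nonproduction"
    application: str      # business application the database supports (step V.C)
    weak_accounts: tuple  # (installation account, privilege level) pairs with a blank/default password

# Constructed sample: five databases on two networks, three with weak installation accounts.
SCANS = [
    DbScan("IRS main network", "db01", "production", "Tax Processing", (("install_admin", "dba"),)),
    DbScan("IRS main network", "db02", "production", "Tax Processing", ()),
    DbScan("IRS main network", "db03", "nonproduction", "Dev Sandbox", (("sample_user", "user"),)),
    DbScan("Chief Counsel", "db04", "production", "Case Mgmt", ()),
    DbScan("Chief Counsel", "db05", "production", "Case Mgmt", (("monitor_svc", "monitor"), ("install_admin", "dba"))),
]

# Hypothetical weights for the access levels assessed in step V.A.
PRIVILEGE_WEIGHT = {"dba": 3, "monitor": 2, "user": 1}

def summarize_by_network(scans):
    """Table 2 layout: network -> (databases found, databases tested, percentage)."""
    found, tested = defaultdict(int), defaultdict(int)
    for s in scans:
        tested[s.network] += 1
        found[s.network] += 1 if s.weak_accounts else 0  # count databases, not accounts
    rows = {n: (found[n], tested[n], round(100 * found[n] / tested[n], 1)) for n in tested}
    tf, tt = sum(found.values()), sum(tested.values())
    rows["Totals"] = (tf, tt, round(100 * tf / tt, 1))
    return rows

def risk_score(scan):
    """Step V.A: strongest privilege among weak accounts, doubled for production data."""
    if not scan.weak_accounts:
        return 0
    worst = max(PRIVILEGE_WEIGHT.get(level, 1) for _, level in scan.weak_accounts)
    return worst * (2 if scan.environment == "production" else 1)

def prioritized_findings(scans):
    """Databases with weak accounts, highest risk first (ties broken by host name)."""
    return sorted((s for s in scans if s.weak_accounts), key=lambda s: (-risk_score(s), s.host))

def applications_at_risk(scans):
    """Step V.C: applications served by at least one database with a weak account."""
    return sorted({s.application for s in scans if s.weak_accounts})
```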